This document explains how to configure GRE over IPSec routing through
a hub site to multiple remote sites. The Cisco 7206 router is the central site
router, to which all the other sites connect through IPSec. The Cisco 2610,
3620, and 3640 routers are the remote routers. All sites are able to reach the
main network behind the Cisco 7206 and all other remote sites through the
tunnel to the main site, with routing updates taking place automatically via
Enhanced Interior Gateway Routing Protocol (EIGRP).

The information in this document is based on these software and
hardware versions:

Cisco 7206 Router running Cisco IOS® Software Release 12.3(1) IK9S

Cisco 2621XM Router running Cisco IOS Software Release 12.3(1) IK9S

Cisco 3640 Router running Cisco IOS Software Release 12.3(1) IK9S

Cisco 3640 Router running Cisco IOS Software Release 12.3(1) IK9S

The information presented in this document was created from devices in
a specific lab environment. All of the devices used in this document started
with a cleared (default) configuration. If you are working in a live network,
ensure that you understand the potential impact of any command before using
it.

The tunnel source for each tunnel is the FastEthernet1/0 interface,
or the interface that is the Internet connection. The tunnel destination is the
IP address of the remote router's Internet interface. Each tunnel should have
an IP address on a different, unused subnet.

Configure the GRE tunnels on the Cisco 2610, 3620, and 3640
routers. The configurations are similar to that of the Cisco 7206
router.

Each remote router uses its local interface that connects to the
Internet as the tunnel source. The addresses of these interfaces correspond
to the tunnel destination IP addresses in the configuration on the Cisco 7206
router. The tunnel destination IP address for each remote router corresponds
to the IP address of the interface of the Cisco 7206 router that connects to
the Internet. The IP address of each remote tunnel interface is on the same
subnet as the corresponding tunnel interface of the Cisco 7206 router.

Ensure that each remote router can ping the IP address of the
tunnel destination and the main router's corresponding tunnel interface.

Also, ensure that each router is pingable from the central site
router.

If the GRE tunnels come up, proceed with encrypting. First, create
access lists to define the traffic for encryption.

The access lists permit traffic from the local IP address on each
router to the IP address on the opposite end.

The ISAKMP policy, key, and IPSec transform set must match on both
sides of a single tunnel. Not all tunnels have to use the same policy, key, or
transform set. In this example, all tunnels use the same policy, key, and
transform set for simplicity.

To configure the routing protocol, configure all sites with the
autonomous system number and instruct the routing protocol (EIGRP) to share
routes. Only networks that are included in the network statements are shared
with the other routers by the routing protocol. The autonomous system number
must match in all routers that participate in the sharing of routes. In this
example, networks that can be summarized into one network statement are used
for simplicity.
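
The steps above, put together for the hub and one remote router, as an added
example that is not the configuration from the original document. The IP
addresses, the spoke interface name, the names GRE-TS, HUBMAP and SPOKEMAP,
access list 110, EIGRP autonomous system 60, the key placeholder, and the
AES/SHA/group 5 choices are all assumptions.

```cisco
! Hub (Cisco 7206). All addresses, names and the key are constructed placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
! The key is bound to one peer address, so each spoke can have its own key.
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
! Crypto ACL: local Internet address to the opposite end, GRE only (assumption).
access-list 110 permit gre host 192.0.2.1 host 198.51.100.2
crypto map HUBMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address 110
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet1/0
 tunnel destination 198.51.100.2
interface FastEthernet1/0
 ip address 192.0.2.1 255.255.255.0
 crypto map HUBMAP
! LAN and tunnel subnets all sit inside 10.0.0.0/8, so one network statement covers them.
router eigrp 60
 network 10.0.0.0
!
! Spoke (one remote router): mirror image. Policy, key and transform set match the hub.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key REPLACE_WITH_PSK address 192.0.2.1
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
access-list 110 permit gre host 198.51.100.2 host 192.0.2.1
crypto map SPOKEMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-TS
 match address 110
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map SPOKEMAP
router eigrp 60
 network 10.0.0.0
```

For each additional remote router, the hub gets another tunnel interface on
its own subnet, another key and access list entry, and another crypto map
sequence number. Once applied, show crypto isakmp sa and show crypto ipsec sa
on either router confirm that the GRE traffic is actually being encrypted.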